Webpack provides some guidance on different sourcemap options for development vs production, specifically:
- `eval*` options for development (e.g.
- `source-map` option for production
For an app that bundles its Custom UI with webpack this means that, during development, for `eval-source-map` to work the Forge manifest must include:

```yaml
permissions:
  content:
    scripts:
      - 'unsafe-eval'
```
However for production, it would be preferable to not allow unsafe script evaluation.
Is there a recommended technique for specifying different CSP settings for a Forge app for development vs production?
Currently the only choice seems to be either:
- Use ‘production’ source map settings in development (slower dev rebuilds), or
- `unsafe-eval` in production (less secure)
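As an added example (not part of the original post, and not Forge or webpack code), the two constraints described above can be checked before a build or deploy: an `eval*` devtool needs `'unsafe-eval'` in the manifest, and a production manifest should not carry it. The helper names `scriptPermissions` and `checkBuild` and both sample manifests are constructed for illustration.

```javascript
// Read the list at permissions.content.scripts from Forge manifest text.
// Indentation-based reader for block-style YAML only (no flow lists or anchors).
function scriptPermissions(manifestText) {
  const stack = []; // enclosing mapping keys as {indent, key}
  const items = [];
  for (const raw of manifestText.split('\n')) {
    const text = raw.replace(/(^|\s)#.*$/, '').trim(); // drop comments
    if (!text) continue;
    const indent = raw.search(/\S/);
    if (text.startsWith('- ')) {
      const top = stack[stack.length - 1];
      const path = stack.map((e) => e.key).join('.');
      if (top && indent >= top.indent && path === 'permissions.content.scripts') {
        items.push(text.slice(2).trim().replace(/^['"]|['"]$/g, ''));
      }
      continue;
    }
    const m = text.match(/^(.+?):(\s|$)/);
    if (!m) continue;
    // A key at the same or a shallower indent closes the deeper mappings.
    while (stack.length && indent <= stack[stack.length - 1].indent) stack.pop();
    stack.push({ indent, key: m[1].trim() });
  }
  return items;
}

// Compare the webpack mode and devtool with the manifest's script permissions.
function checkBuild(mode, devtool, manifestText) {
  const allowsEval = scriptPermissions(manifestText).includes('unsafe-eval');
  const needsEval = typeof devtool === 'string' && devtool.includes('eval');
  const problems = [];
  if (needsEval && !allowsEval) {
    problems.push(`devtool "${devtool}" needs 'unsafe-eval' in permissions.content.scripts`);
  }
  if (mode === 'production' && allowsEval) {
    problems.push("production manifest allows 'unsafe-eval'");
  }
  return problems;
}

// Constructed manifest fragments, not taken from a real app.
const DEV_MANIFEST = `permissions:
  content:
    scripts:
      - 'unsafe-eval'  # required by eval-source-map
    styles:
      - 'unsafe-inline'
`;
const PROD_MANIFEST = DEV_MANIFEST.replace(/ {4}scripts:\n.*\n/, '');
```

`checkBuild` returns an empty array when the devtool and manifest agree, so a build script can fail whenever the array is non-empty.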